AI has ushered in a new era of efficient business operations and processes, but as expected, the tech is proliferating in malicious ways as well. New research reveals the alarming rise in the use of AI by cybercriminals in scaling and crafting sophisticated email threats like phishing and business email compromise (BEC) attacks, how modern email security systems leverage AI to defend against modern attacks—and how you can best protect your business.
The newly released Role of AI in Email Security report from digital threat prevention firm Perception Point, in collaboration with research firm Osterman Research, reveals a substantial shift in the perception of AI’s role in email security. Cybercriminals have shown rapid adoption of AI tools to their favor, with 91.1 percent of organizations reporting that they have already encountered email attacks that have been enhanced by AI, and 84.3 percent expecting that AI will continue to be utilized to circumvent existing security systems. Consequently, AI-enabled protections are more essential than ever.
The growing perception of AI-enabled threats aligns with the increasing awareness of large language models (LLM) and generative AI services, such as ChatGPT, that have made headlines in the past year. The percentage of respondents ranking AI as “extremely important” to their email defenses has increased by more than 4x over the past 12 months. Virtually all organizations expect AI to be moderately or extremely important to their email defense
Additional takeaways include:
Email security is still top priority
Almost 4 out of 5 organizations rate addressing email security risks as a top three priority for their organization relative to all other security and risk initiatives.
Traditional email security approaches have proven less effective over time
Nearly all (96.9 percent) respondents implemented AI-enabled email security because their traditional defenses were ineffective against emergent threats.
AI-powered security is not just for email
Users of AI-enabled email security want the ability to better protect other communication and collaboration apps, such as Microsoft Teams, SharePoint, OneDrive, Zoom, and Slack, Salesforce, and more, with AI.
AI-enabled detection without responsive mitigation is misguided
Strengthening capabilities for detecting threats in email via AI is an essential first step, but it can’t end there. Organizations must train cybersecurity professionals and SOC teams to respond quickly and effectively to identified incidents, leveraging the best of what AI brings to the table.
“With the relentless surge in cyberattacks, especially GenAI-fueled phishing and BEC, the imperative for inventive preventative strategies intensifies,” said Yoram Salinger, CEO at Perception Point, in a news release. “As threat actors broaden their targets across messaging and communication channels, embracing emerging technologies and holistic security services that leverage AI is essential.”
The key takeaway is the now-critical need for advanced security measures to combat the evolving email and collaboration threat landscape, and the need to incorporate natural language processing, computer vision, and a higher level of content analysis, the report says. These malicious text-only email threats often leverage AI models like ChatGPT and Google Bard (and unethical alternatives like WormGPT and FraudGPT) to craft highly convincing email attacks that can bypass traditional security systems.
“With cybercriminals leveraging AI to make email attacks ever more dangerous, all organizations must ensure they have the right defenses in place to detect and stop attacks that are missed by traditional email security methods,” said Michael Sampson, principal analyst at Osterman Research and the author of the report, in the release.
All findings are based on findings from a survey conducted by Osterman Research. 148 security and IT decision-makers, who are familiar with how their organization is leveraging or planning to leverage AI to strengthen email security against advanced inbound, outbound, and internal email threats were surveyed in July 2023. To qualify, respondents had to work at organizations with at least 1,000 employees. All surveys were conducted in the United States and no industries were excluded or restricted.